All of the release distribution packages have been digitally signed
(using PGP or GPG) by the Apache Group members that constructed them.
There will be an accompanying distribution.asc file
in the same directory as the distribution. The PGP keys can be found
in the MIT key repository (hkp://pgp.mit.edu), the OpenPGP Public Key
repository (hkp://subkeys.pgp.net), and within this project's KEYS file,
which is located within each download directory.

Always use the signature files to verify the authenticity
of the distribution, e.g.,

We offer MD5 hashes as an alternative to validate the integrity
of the downloaded files. A unix program called md5 or
md5sum is included in many unix distributions. It is
also available as part of GNU Core Utilities package.